Shanghai Expo Spam Carries Backdoor

Trend Micro senior advanced threats researcher Paul Ferguson received, from a technology news group journalist who had actually been targeted, a spam email claiming to be from the Bureau of the Shanghai World Expo, the body coordinating “Expo 2010.”

The spammed message carries a malicious attachment detected by Trend Micro as TROJ_PIDIEF.ACV. This malicious .PDF file exploits a known flaw in Adobe Acrobat and Reader that Adobe fixed in an out-of-cycle patch in mid-February; attacks using the same vulnerability were also seen earlier this month.

However, the method used to exploit the vulnerability differs from the one seen earlier this year. According to Trend Micro researcher Rajiv Motwani, these .PDF files carry an embedded malicious .TIFF file. TIFF (Tag Image File Format) is a widely used container format for high-quality raster images.

When a vulnerable Adobe product processes this embedded .TIFF file, the flaw is triggered and arbitrary code runs. In this case, that code drops and executes a backdoor, detected by Trend Micro as BKDR_RIPINIP.I, on the affected system.
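One way to triage a suspect PDF for this delivery vector is to look for a TIFF container inside its streams. PDF image XObjects carry raw samples plus a filter rather than a TIFF file, so a TIFF header inside a stream is itself worth a second look. The scanner below is an added example, not Trend Micro's detection logic or the analysis tooling behind this post: it walks every `stream ... endstream` object, inflates FlateDecode streams, looks for a TIFF header either raw or base64-encoded (the base64 case is an assumption about how such an image might be wrapped, for instance inside XML form data), and lists the tags in the first IFD so an analyst can see what the image declares without rendering it. The sample PDF it builds is constructed and benign; it only exercises the scanner.

```python
"""Heuristic scanner for TIFF images embedded in PDF streams.

Added example (not Trend Micro's detection logic): walks every
`stream ... endstream` object, inflates FlateDecode streams, and looks for
a TIFF header either raw or base64-encoded, then lists the tags in the
first IFD so an analyst can see what the image declares without rendering it.
"""
import base64
import re
import struct
import sys
import zlib

TIFF_MAGIC = {b"II*\x00": "<", b"MM\x00*": ">"}   # little- / big-endian header
# base64 of the two headers when the TIFF starts on a 3-byte quantum boundary
B64_MAGIC = (b"SUkqA", b"TU0AK")


def iter_streams(pdf: bytes):
    """Yield (dictionary_text, raw_stream_bytes) for each stream object."""
    for m in re.finditer(rb"<<(.*?)>>\s*stream\r?\n", pdf, re.S):
        end = pdf.find(b"endstream", m.end())
        if end == -1:
            return
        yield m.group(1), pdf[m.end():end]


def decode_stream(dict_text: bytes, data: bytes) -> bytes:
    """Inflate FlateDecode streams; other filters are left as-is."""
    if b"/FlateDecode" in dict_text:
        try:
            return zlib.decompress(data)
        except zlib.error:
            return data   # corrupt or mislabelled: still worth inspecting raw
    return data


def parse_ifd0(tiff: bytes):
    """Return (byte_order, [(tag, type, count), ...]) for the first IFD, or None."""
    order = TIFF_MAGIC.get(tiff[:4])
    if order is None or len(tiff) < 8:
        return None
    (ifd_off,) = struct.unpack(order + "I", tiff[4:8])
    if ifd_off + 2 > len(tiff):
        return None                      # IFD offset points outside the data
    (n,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    entries = []
    for i in range(n):
        off = ifd_off + 2 + 12 * i
        if off + 8 > len(tiff):
            break                        # truncated IFD: report what we have
        entries.append(struct.unpack(order + "HHI", tiff[off:off + 8]))
    return order, entries


def base64_blob_at(data: bytes, pos: int):
    """Decode the base64 run starting at pos (whitespace tolerated)."""
    run = re.sub(rb"\s", b"", re.match(rb"[A-Za-z0-9+/=\r\n]+", data[pos:]).group(0))
    body = run.split(b"=")[0]
    body = body[: len(body) - (len(body) % 4 == 1)]   # one leftover char is invalid
    try:
        return base64.b64decode(body + b"=" * (-len(body) % 4))
    except ValueError:
        return None


def find_tiffs(pdf: bytes):
    """Return [(stream_index, 'raw'|'base64', offset, ifd0_or_None), ...]."""
    findings = []
    for idx, (dict_text, raw) in enumerate(iter_streams(pdf)):
        data = decode_stream(dict_text, raw)
        for magic in TIFF_MAGIC:
            pos = data.find(magic)
            if pos != -1:
                findings.append((idx, "raw", pos, parse_ifd0(data[pos:])))
        for b64magic in B64_MAGIC:
            pos = data.find(b64magic)
            if pos != -1:
                blob = base64_blob_at(data, pos)
                if blob:
                    findings.append((idx, "base64", pos, parse_ifd0(blob)))
    return findings


def make_tiff(order: str) -> bytes:
    """Constructed minimal TIFF: header plus one IFD with three SHORT tags."""
    magic = b"II*\x00" if order == "<" else b"MM\x00*"
    tags = [(256, 3, 1, 1), (257, 3, 1, 1), (258, 3, 1, 8)]   # width, length, bits/sample
    ifd = struct.pack(order + "H", len(tags))
    for tag, typ, cnt, val in tags:
        ifd += struct.pack(order + "HHIH2x", tag, typ, cnt, val)
    ifd += struct.pack(order + "I", 0)     # no next IFD
    return magic + struct.pack(order + "I", 8) + ifd


def build_sample_pdf() -> bytes:
    """Constructed, benign sample: one deflated TIFF, one base64 TIFF in XML-ish text."""
    deflated = zlib.compress(make_tiff("<"))
    b64 = base64.b64encode(make_tiff(">"))
    obj1 = b"<</Length %d /Filter /FlateDecode>>\nstream\n" % len(deflated) + deflated + b"\nendstream\n"
    obj2 = b"<</Length %d>>\nstream\n<image>" % (len(b64) + 15) + b64 + b"</image>\nendstream\n"
    return b"%PDF-1.4\n" + obj1 + obj2 + b"%%EOF\n"


if __name__ == "__main__":
    pdf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for idx, how, off, ifd in find_tiffs(pdf):
        tags = [hex(t) for t, _, _ in ifd[1]] if ifd else "unparseable"
        print(f"stream {idx}: {how} TIFF at offset {off}, IFD0 tags {tags}")
```

Run it with a file path to scan a real sample, or with no arguments to scan the constructed one. A hit is a triage signal, not a verdict: a TIFF inside a PDF is unusual enough to quarantine the file and hand it to a sandbox, and the IFD listing tells you which tags a detonation should be watching.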

Further analysis of this threat is ongoing, so this post is likely to be updated. In the meantime, users should exercise increased vigilance when opening email messages and attachments from unexpected sources, even when the sender claims to be a well-known organization.

Trend Micro™ Smart Protection Network™ protects users from these kinds of attacks by blocking the spammed messages via the email reputation service. In addition, both the malicious .PDF file and the backdoor payload are detected by the file reputation service.

Update as of March 26, 2010, 3:25 a.m. (GMT +8:00):

Further analysis of BKDR_RIPINIP.I shows that it gathers system information such as the computer name, CPU information, OS version, and IP address of the affected machine. It then connects to a remote server, sends the stolen information, and waits for a reply, presumably remote commands to execute on the affected system. As of this writing, however, our threat engineers have not received any reply from the remote server during analysis.

Update as of March 26, 2010, 5:40 a.m. (GMT +8:00):

Web reputation technology now blocks the associated domain to which the backdoor connects and sends stolen information. Trend Micro Deep Security™ can also help shield users from the vulnerability used in this attack. Trend Micro OfficeScan™ users with the Intrusion Defense Firewall (IDF) plug-in are also protected if their systems are updated with the IDF10-014 release.

Update as of March 30, 2010, 4:40 p.m. (GMT +8:00):

Trend Micro advanced threats researcher Paul Ferguson has been quoted by media sources regarding this threat. His thoughts can be found in these ComputerWorld and Network World articles.
